An anonymous reader writes "Last week's linux.conf.au saw the return of the rogue access points. These are Wi-Fi access points which bear the same SSID as official conference hotspots. Often it might be a simple mistake, but sometimes it's more nefarious. To combat the attacks this year, conference organisers installed a Linux-based Wi-Fi 'intrusion prevention and detection system' supplied by sponsor Xirrius." At most conferences I've been to, I'd be grateful just to be able to get on any access point.

Cisco's WLSE has APs dedicated to TDOA and CleanAir. You can upload a CAD drawing of the building and pinpoint where exactly your TDOA APs are, and it will show you exactly where (on a virtual drawing) the rogue AP or client is.

Cisco WLSE and WLC are completely different products that do different things. WLC is a wireless LAN controller that does all the radio management in hardware with lightweight APs. WLSE is an old software platform that tells IOS APs to change channels. WCS is the spiritual successor to WLSE.

That's not really a differentiating feature; there are quite a few companies that have similar capabilities and are more accurate than Cisco. I find Cisco's wireless security offerings to be pretty damn weak. They target a very small slice of WLAN issues and exploits (granted, they are typically the most severe), compared to other vendors who focus solely on security.

For WLAN Cisco is adequate (I have issues with some of their config and engineering choices), but for WIPS/WIDS I can think of perhaps two (

He wasn't (unless my understanding is wrong, of course) commenting on the expense of the equipment, he was commenting on the fact that the parent post looked like a very amateur paid shill. A worthwhile informative post would not have simply stated "we use this stuff, here go look at this link", it would explain how that equipment was pertinent to the article at hand. Perhaps it makes solving the problem easier in some way, if so he could have stated that rather than

android phone + cyanogenmod + grandfathered verizon unlimited data plan = "it may not be perfect, but it gets the job done and it is still way better than the dialup connection I used back in the day."

Unless I'm in some building shielded with sandwiched lead sheets or something, in which case, hell, screw it, time to read an ebook.

Just window foil and energy efficient windows in a concrete/steel building will do it. I work for a mobile telco and we can't get any 3G at all inside the building, getting GSM900 reception is a struggle. It's so bad, we can't even use our cell phones in 90% of the rooms.

My company has a branch in another city that I occasionally have to visit. The office is on the 34th floor of a rather new building. Reception there is atrocious. I wonder if it's got the same problems you're talking about.

When scouting out a new location for my company's business in this city, one of the first things I test is 3g signal strength for that reason.

here, our telcos sell us devices that we're locked out of by default, with features that are built into the operating system disabled, so that we can pay the telco stupid amounts of money to turn back on.

Or we just say "screw the warranty, I own this device, I'm going to do with it what I damn well please" and flash a cleaned-up rooted version of the OS on it.

Where do you get the public key? Why is that source more trusted than the source of the SSID?

There was a fad a couple years back of handing out little circuit boards with "stuff" on them at cons. I could see the next HOPE conference handing out ID necklaces with a little cheap USB flash drive as the "I paid my entrance fee" physical token.

At work it's simpler: you preload your standard system image with the key.

Already done; but not really designed for the 'open' deployment scenario:

WPA2 (if you flip the switch to "enterprise", this is exactly the sort of hassle that gets left out in order for things to Just Work and not get returned to the store by frustrated Joe User) adds 802.1X authentication, which includes validation of the authentication server's certificate.

Trouble is, all that stuff is basically aimed at a big serious corporate deployment, where everybody has a username and password and things are c

I have a unique perspective on this problem as I do shows as well. The idea is, you have one set of access points that provide service, one set that monitor, and one set for active interference with rogue APs. When a rogue AP starts broadcasting you blanket the exact frequency and change neighboring service access points to channels that are on the other side of the spectrum. This works great in practice against regular people popping a linksys when they only pay for one Internet connection.

As wi-fi becomes a mainstream Internet on-ramp when you're out and about, I think the rogue AP issue needs to be addressed FAR better than it is today. As the story's submitter said, tech conferences might be the least of the problem, since most of the time you've got a massive flood of wi-fi usage attempts concentrated under one roof at such things. The tech-savvy will already plan on other forms of connectivity (such as 3G or 4G cellular). Plus, the vast majority of conference-goers are trying to send photos, video or blog entries of the happenings... not taking out time to do their online banking, shopping or what-not. So rogue sites trying to scrape for data are less likely to capture anything really useful.

My co-workers have started asking me, "How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?"... and I'm realizing the answer isn't very clear-cut. I can advise them that certain companies contract to provide thousands of APs for chain restaurants, and typically have an AP identifying themselves as such. (You'll often see an SSID of "wayport" at a McDonalds for example.) But beyond that, the average laptop or smartphone user really doesn't even think about someone spoofing a legitimate-looking SSID. I've even run across such things as multiple SSIDs showing up with no password at our airport, where I knew at least 1 or 2 of them were fakes. (One had an SSID of "airport wifi", as I recall, when I know our airport only provides wifi in the terminal waiting area via AT&T - who would NOT name it anything like that.)

Have an SSH server somewhere, and tunnel everything through that; this is the equivalent of using a VPN. If you see host key warnings, then abort -- better than the headache of dealing with someone pwning your bank account.

Good methodology for those of us who actually (at least half-assed) understand how this internet stuff works.

However, that won't cover the vast majority of 'casual' users, i.e. regular folks... at least, not until "there's an app for that."

All networks are hostile until proven otherwise. The solution is an encrypted tunnel back to a secure network. VPN or SSH tunneling are both easy to set up and use.

So what do you recommend to the average traveler that doesn't have corporate VPN/ssh tunneling? Is there a solution for mom/dad/grandma/grandpa who are traveling with their iPad/laptop. Or even going to Starbucks etc..?

Arguably, trying to solve this problem at the AP level is something of a fool's errand. There are easily thousands upon thousands of entities running non-malicious access points, many of which the user would have not the slightest reason to be able to judge the legitimacy of (Hotel Chain A might entirely plausibly hire ObscurePoint Access LLC to run their wifi, so name recognition won't help you much, and SSL won't be too useful because, even when it works, that only helps prevent spoofing of a name, it does

And now you need either a static IP for the home router or to sign up for a dynamic IP tracking service. And even that little bit of terminology and requirement will stump most home users -- unless that gets rolled in with the auto setup USB magic.

True. My thinking, rough draft, is that the router would go and sign itself up for a dynamic DNS service(presumably bundled into the cost of the device by the manufacturer and, since the configuration would be handled automatically by the config file, the hostname needn't be memorable in the slightest SHA1-of-something.vendor.com style addresses wouldn't exactly be scarce...) when the first VPN key is requested.

It is certainly a rough-cut approximation of a plan, it just seems a pity that all the ingredi

How do I know if it's safe to connect to a wi-fi hotspot when I'm traveling?

It's always safe to connect. It's what you do once connected that matters.

Unfortunately devices now do so many things automatically that you can easily get in trouble without knowing it. Auto-poll for new Email/Twitter/Facebook/AppStore content? You'd better hope that polling uses a complete and robust SSL implementation.
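As an added example (not code from any commenter or product on this page): a small audit of a Python client's TLS configuration, with the "make the certificate warning go away" context beside the one the standard library gives you by default. `audit()` returns its findings as a list so a unit test or pre-commit hook can fail on them. It assumes CPython 3.7+ linked against OpenSSL 1.1.0g or later (needed for `minimum_version`); no network access is required.

```python
"""Added example: check that a client's TLS context really verifies the
server, so a rogue AP that terminates TLS is rejected rather than trusted.
Not code from any commenter or product mentioned on the page."""
import ssl


def strict_client_context():
    # create_default_context() loads the system trust store and sets
    # CERT_REQUIRED plus hostname checking; we additionally pin TLS >= 1.2.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def sloppy_client_context():
    # The pattern that "fixes" certificate errors on hotel Wi-Fi: no chain
    # validation and no hostname check, so any interposed AP is accepted.
    # check_hostname must be cleared before verify_mode can be CERT_NONE.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit(ctx):
    """Return the reasons this context would accept a man-in-the-middle."""
    problems = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("verify_mode is not CERT_REQUIRED: chain never validated")
    if not ctx.check_hostname:
        problems.append("check_hostname is False: any valid cert is accepted")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("minimum_version allows TLS older than 1.2")
    return problems


if __name__ == "__main__":
    for name, ctx in (("strict", strict_client_context()),
                      ("sloppy", sloppy_client_context())):
        print(name, audit(ctx) or ["ok"])
```

The same three settings are what to look for in whatever HTTP library an auto-polling app uses; a library that exposes a "verify=False" knob is exposing the sloppy context above.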

Depending on your definition of "safe", even just looking at cat pictures can be unsafe if the hotspot decides to replace all images with goatse.

Why would the legitimate AP be any better than the "illegitimate AP"? If doing banking, you should use encryption and one-time codes anyway.

Anyhow, a conference holder could for example make an application for Android, Windows and iOS that would detect the legit APs and do a handshake with them. But then the problem becomes how you distribute that app, and it's not like you can trust anyone connecting to that network anyhow.

This is a huge advantage of BlackBerry over Android and iOS: regardless of any hostile access point, everything goes through a secure tunnel to the BIS servers. The downside is that on rare occasions the service has trouble despite being able to connect to the internet.

This is not just for wifi connections; there are no technical measures in place to allow a phone to validate a cell tower it is connected to, and hostile/sniffer towers already exist.

I would have hoped all the normal standard practices would protect you almost totally from this....
Don't use an important password except over https where your browser doesn't raise red flags.
Use a VPN or ssh to connect to servers that are important to you.
Seems the same practices that protect you from your normal ISP would protect you from rogue access points too, no?

Airespace had something where you could actively "discourage" or otherwise overwhelm the rogue AP within a defined area. Now that Cisco took over, it's just a "spot the rogue, hope you're right" type of deal.

One wonders if Cisco's legal chaps got a trifle nervous about shipping a system that involved quite-possibly-subject-to-CFR 47 15.5 [gpo.gov] device or devices intentionally causing interference to other such devices...

In particular, I'd be a trifle leery of the possibility that I was contravening the letter, as well as the spirit, of part B:

"(b) Operation of an intentional, unintentional, or incidental
radiator is subject to the conditions that no harmful interference is
caused and that interference must be ac

And yet, wifi coverage was fairly spotty for the conference. Some of those access points definitely weren't working; you'd have to manually choose which MAC address to use, or point your antenna in a different direction, before you could connect properly.

If you wanted to set up a rogue AP, you could probably get away with it in the corridors. Though you wouldn't be able to hack everyone, there were plenty of people hanging around outside the main halls checking emails etc.

From the point of view of the infrastructure/security go-to man for a small company, what options are there for locating unauthorised APs? We scan for unauthorised MAC addresses turning up on the network so an alert goes out if something unwanted is plugged into the LAN, but that wouldn't detect a soft-AP running on an otherwise expected machine (nor would it spot a device with a faked MAC, but that is another matter). Are there any reliable methods of picking up on new APs turning up (even those that are n
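As an added example (not code from the story, its sponsor, or any commenter), here is the kind of check a small shop can run over its own scan data to answer that question for SSID clones. Every beacon advertising the company's SSID is compared against an allowlist of the BSSIDs actually deployed; a beacon is flagged when its BSSID is unknown, when its security mode differs from the deployed one, or when an official BSSID is seen on two channels at once, which one radio cannot do and which is the tell for a copied MAC. The SSID, BSSIDs and scan rows are constructed; a real run would feed rows parsed from `iw dev <iface> scan` or a monitor-mode capture.

```python
"""Added example: flag SSID-clone ("evil twin") access points in scan data.

Not code from the story or any vendor it mentions. The SSID, the BSSID
allowlist and the scan rows below are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    ssid: str
    bssid: str        # AP radio MAC
    channel: int
    security: str     # "open", "wpa2-psk" or "wpa2-eap"
    signal_dbm: int


@dataclass
class Finding:
    beacon: Beacon
    reasons: list


# Constructed allowlist (hypothetical): the radios deployed for our SSID
# and the security mode those radios are configured with.
OFFICIAL = {
    "conf-wifi": {
        "bssids": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
        "security": "wpa2-eap",
    },
}

# Constructed scan rows standing in for `iw dev wlan0 scan` output.
SCAN = [
    Beacon("conf-wifi", "00:11:22:33:44:01", 1, "wpa2-eap", -50),   # genuine
    Beacon("conf-wifi", "00:11:22:33:44:02", 6, "wpa2-eap", -61),   # genuine
    Beacon("conf-wifi", "de:ad:be:ef:00:01", 11, "open", -48),      # clone, open
    Beacon("conf-wifi", "00:11:22:33:44:01", 11, "wpa2-eap", -40),  # clone, copied MAC
    Beacon("linksys", "c0:ff:ee:00:00:01", 6, "open", -70),         # someone's home AP
]


def classify(beacons, official=OFFICIAL):
    """Return a Finding for every beacon that claims one of our SSIDs but
    does not look like one of our radios. Beacons for other SSIDs are
    ignored: a stranger's AP is only a clone if it borrows our name."""
    channels_by_bssid = defaultdict(set)
    for b in beacons:
        channels_by_bssid[b.bssid.lower()].add(b.channel)

    findings = []
    for b in beacons:
        spec = official.get(b.ssid)
        if spec is None:
            continue
        bssid = b.bssid.lower()
        reasons = []
        if bssid not in spec["bssids"]:
            reasons.append("unknown BSSID")
        elif len(channels_by_bssid[bssid]) > 1:
            # One radio cannot beacon on two channels at once, so somebody
            # copied the MAC. Both copies are flagged: the scan alone
            # cannot say which one is the impostor.
            reasons.append(f"official BSSID seen on channels "
                           f"{sorted(channels_by_bssid[bssid])}")
        if b.security != spec["security"]:
            reasons.append(f"security {b.security!r}, "
                           f"expected {spec['security']!r}")
        if reasons:
            findings.append(Finding(b, reasons))
    return findings


if __name__ == "__main__":
    for f in classify(SCAN):
        b = f.beacon
        print(f"{b.ssid:10} {b.bssid} ch{b.channel:<3} {b.signal_dbm} dBm: "
              + "; ".join(f.reasons))
```

An attendee who put up an AP with the same name by honest mistake is flagged exactly like a malicious one; the check reports what is on the air, not intent. Locating a flagged radio is still a walk with a signal meter, which is what the TDOA and floor-plan products in the earlier comments automate.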

Yes, there were a lot of "rogue" DHCP servers at LCA, although a better term might be misconfigured, because I am almost certain it wasn't deliberate. But the story neglects to mention the reason. Attendees were invited to set up wireless access points because the accommodation didn't provide wireless. There were, I guess, 20 or 30 units, and I'd be surprised if every one of those units didn't have at least 1 AP set up by a community-minded resident. It is inevitable that some of those will have forgotten

When I use a public wireless access point, my networking scripts immediately set up an OpenVPN tunnel and make that the default route. If you don't route all your traffic over a VPN when you use public wireless of any kind, you're asking for trouble.